Sikur is defining the future of secure communication. Operating globally, it has offices in Latin America, United States, and Europe. Sikur works alongside governments and corporations that believe security is fundamental to the integrity of their work. We believe that security is not only about platforms and digital systems but is a mindset that surrounds every aspect of business.

Search

Tag: Phishing

PayPal Phishing Casts a Wide Net

One of the most successful phishing methods is to co-opt a well-respected brand. PayPal topped the list by a wide margin in a recent analysis of over 100 million endpoints by Comodo Threat Intelligence Lab. PayPal was impersonated in 39% of all such attacks, with Microsoft a distant second at 20%.

Sharing this information is important so that your users know to be more vigilant if they get an email or alert, supposedly from PayPal, Microsoft, or the others in this chart. Some of these phishing websites look quite authentic and may fool even security-minded users. This type of information is a great addition to your security awareness program.

The scale at which these attacks are being deployed is evident in the number of web pages using this type of attack. This analysis discovered 61,767 web pages impersonating these brands for the purpose of phishing. Just over half were taken down by the time this article was written. That still leaves almost 30,000 malicious web pages to lure your users.

6 characteristics that make brands good targets for phishing impersonation

1. Registered user accounts

Brands that have hundreds of thousands of registered user accounts are an inviting target for cybercriminals. Consider, for example, PayPal with 267 million registered user accounts. If an attacker can send phishing emails to 1% of them, that’s 2.67 million chances that a user will click on a link that brings that user to their malicious website. If just 1% of those users click that link, they get 26,700 accounts that they have compromised.

2. Trusted brand

When dealing with a trusted brand, people tend to let their guard down. If a phishing website impersonates a trusted brand well enough, that lower level of user vigilance increases the chances of a successful attack.

3. Access to money

In most cases, this is the ultimate goal. There are other motivations such as hacktivism or cyber warfare.

A cybersecurity researcher who last month warned of a creative phishing campaign has now shared details of a new but similar attack campaign with The Hacker News that has specifically been designed to target mobile users.

Just like the previous campaign, the new phishing attack is also based on the idea that a malicious web page could mimic look and feel of the browser window to trick even the most vigilant users into giving away their login credentials to attackers.

Antoine Vincent Jebara, co-founder and CEO of password managing software Myki, shared a new video with The Hacker News, demonstrating how attackers can reproduce native iOS behavior, browser URL bar and tab switching animation effects of Safari in a very realistic manner on a web-page to present fake login pages, without actually opening or redirecting users to a new tab.

New Phishing Attack Mimics Mobile Browser Animation and Design

As you can see in the video, a malicious website that looks like Airbnb prompts users to authenticate using Facebook login, but upon clicking, the page displays a fake tab switching animation video aimed to trick users into thinking that their browsers are behaving normally.

“The Facebook login page is also definitely fake and is an overlay over the current page that makes it look like an authentic Facebook page,” Jebara said.

“From the moment a user accesses the malicious website, they are manipulated into performing actions that seem legitimate, all with the purpose of building up their confidence to submit their Facebook password at the final stage of the attack.”

If users are not very attentive to details and fail to spot minor differences, they would eventually end up filling the username and password fields on the phishing page, resulting in giving away their social media credentials to the attackers.

Phishing attacks aren’t nearly as successful as they used to be because by now people have learned to look out for the emails that ask them to provide sensitive details. While this is true for emails, it seems that pioneer attackers have embraced other ways of utilizing phishing attacks, namely through messaging services such as WhatsApp, Skype, and even plain old SMS.

Mobile Phishing
Mobile phishing is an issue that shows no signs of abating anytime soon. According to Verizon, 90% of their recorded data breaches began with a phishing attack and right now mobile is an increasingly common attack vector.

Recent research from Wandera shows a new trend among cyber-criminals toward mobile phishing. Every day, dozens of new attacks are detected and many of them last less than a day before being shut down and relocated elsewhere. These phishing attacks share many standard features, notably centering around the use of WhatsApp.

Distribution Methods
Now that there is a widespread awareness of the dangers email-based phishing attacks bring, many savvy cyber-criminals are instead moving on to using other vectors that allow them to attack mobile devices. Many of such attacks center on WhatsApp as both the initial method of delivery and the way to reach more targets after every single success.

It isn’t just the awareness that has led to this shift. Email clients and providers have many built-in tools that identify any potential phishing emails and alert the user or automatically delete the email.

In contrast, there are no such security measures for SMS, or for app-based messaging services. Given the sheer number of different messaging apps out there, it is challenging to develop a catch-all defense against mobile phishing attacks. This results in mobile-based attacks being at least three times more effective than the phishing that takes place through desktop. Without any doubt, mobile providers should make further investments into raising cybersecurity awareness and improving it on mobile.

Exploiting WhatsApp
Unlike with phishing emails, which are often flagged as potentially malicious, there is no filtering or alert system on WhatsApp either. When a user receives a link on WhatsApp, it usually generates a preview of that website’s logo and page title. These are easy for an attacker to fake but might give a phishing message enough of a veneer of legitimacy for the user to get caught off guard.

The majority of cyber attacks begin with one simple phishing email. So will it ever be possible to close this door to hackers, once and for all?

Email is incredibly useful, which is why we all still use it. But chief among its downsides (along with getting caught in a group-cc’d message hell) is that email remains one of the most common routes for hackers to attack businesses.

But if email leaves us so vulnerable to attempts at hacking, why do we stick with it?

“Email is still the main way that two entities who may not have a relationship get together and communicate. Whether it’s a law firm communicating with a business or a candidate applying for a job, email is still the bridge to getting these entities communicating. It’s not going away,” says Aaron Higbee, co-founder and CTO at anti-phishing company Cofense.

As long as email is here, phishing will also remain a problem — and while some phishing campaigns are really sophisticated and based around cyber criminals performing deep reconnaissance on targets, other email-based attacks aren’t so sophisticated — and yet are still worryingly successful.

New MediaPRO study also finds that management performed worse than entry- and mid-level employees in how to handle a suspected phishing email.

Despite concerted efforts by many US organizations to improve security awareness among users, a new study shows they still have a long way to go.

Some 75% of respondents today pose a moderate or severe risk to their company’s data, according to MediaPRO’s third annual State of Privacy and Security Awareness Report, and 85% of finance workers show some lack of data security and privacy knowledge.

Tom Pendergast, chief security and privacy strategist at security awareness and training provider MediaPRO, says the firm surveyed more than 1,000 employees across the United States to quantify the state of privacy and security awareness in 2018. More people fell into the risk category this year than in 2017 – and that number had nearly doubled since the inaugural survey, he says.

“The overall results revealed a trend we weren’t happy to see, that employees performed worse across the board compared to the previous year,” Pendergast says. “While I think there’s a certain amount of security fatigue from news of all the attacks, if in five years I don’t see significant change I will be surprised. There’s both a cultural a business awareness of the need to do good work in this area.”

MediaPRO based its study on a variety of questions that focus on real-world scenarios, such as correctly identifying personal information, logging on to public Wi-Fi networks, and spotting phishing emails. Based on the percentage of privacy and security-aware behaviors, respondents were assigned to one of three risk profiles: risk, novice, or hero.

Here’s a thumbnail of some other notable findings:

1. Employee performance was worse this year across all eight industry verticals measured. Respondents did much worse in identifying malware warning signs, knowing how to spot a phishing email and social media safety.

Google is rolling out a sweeping redesign of its popular Gmail service, but federal cybersecurity authorities warn that a key new feature on the system could make its 1.4 billion users more susceptible to dangerous phishing attacks that compromise users’ vital personal information.

The Department of Homeland Security issued an intelligence note, obtained by ABC News, warning users of the “potential emerging threat … for nefarious activity” with the new Gmail redesign. Because the new feature — called “Confidential Email” — requires users to click a link in order to access confidential emails, according to the DHS alert issued May 24, Google has essentially created an opportunity where “malicious cyber actors could exploit the recent Gmail redesign.”

The intelligence note was distributed to law enforcement personnel and those who handle cybersecurity for private computer networks. It was published as part of DHS’ ongoing effort to emerging threats that could pose a danger to critical computer infrastructure like the computer networks operated by government agencies, banks and major businesses.

“We have reached out to Google to inform them of intelligence relevant to their services and to partner to improve our mutual interests in cybersecurity,” Lesley Fulop, a Department of Homeland Security spokeswoman, told ABC News.

DHS has raised concerns, Google officials said, though stressing that the new features pose no additional security risk beyond what people are already exposed to online.

“Confidential Email” gives recipients access to content via a link and is designed to allow users to prevent the forwarding, copying, downloading or printing of emails; set an expiration date for confidential emails so the email is no longer accessible after that date; protect emails by allowing users to require recipients to go through a two-step security protocol; and revokes access to confidential emails – even after they have been sent — so they can no longer be accessed by the recipient.

Phishing works no matter how hard a company tries to protect its customers or employees.

Security researchers have been warning of a new phishing attack that cybercriminals and email scammers are using in the wild to bypass the Advanced Threat Protection (ATP) mechanism implemented by widely used email services like Microsoft Office 365.

Microsoft Office 365 is an all-in-solution for users that offers several different online services, including Exchange Online, SharePoint Online, Lync Online and other Office Web Apps, like Word, Excel, PowerPoint, Outlook and OneNote.

On the top of these services, Microsoft also offers an artificial intelligence and machine learning powered security protection to help defend against potential phishing and other threats by going one level deep to scan the links in the email bodies to look for any blacklisted or suspicious domain.

But as I said, phishers always find a way to bypass security protections in order to victimize users.

Just over a month ago, the scammers were found using the ZeroFont technique to mimic a popular company and tricked users into giving away their personal and banking information.

In May 2018, cybercriminals had also been found splitting up the malicious URL in a way that the Safe Links security feature in Office 365 fails to identify and replace the partial hyperlink, eventually redirecting victims to the phishing site.

One of Iowa’s main hospital and clinic systems has notified about 1.4 million patients that their personal information might have been breached.

UnityPoint Health officials said hackers used “phishing” techniques to break into the company’s email system. The company, based in West Des Moines, said the hackers could have obtained medical information, such as diagnoses and types of care, that was included in emails.

“While we are not aware of any misuse of patient information related to this incident, we are notifying patients about what happened, what information was involved, what we have done to address the situation, and what patients can do to help protect their information,” RaeAnn Isaacson, UnityPoint’s privacy officer, said in a press release Monday.

The hackers also might have obtained some patients’ financial information, such as bank account numbers, UnityPoint said.

The hackers used official-looking emails to obtain employees’ passwords, leading to the breach, the company said. The company said after it discovered the problem May 31, it hired outside experts and notified the FBI.